SSL host checking and LWP::UserAgent

I needed to turn on host validation and coincidentally the new major release of LWP::UserAgent does that by default now!  The one problem I had was that there wasn’t a root certificate I needed included in it’s standard bundle (well the Mozilla one in the Mozilla::CA dist).  I already suspected that would be the case since I’d noticed Firefox didn’t like the sites certificate so I just had to figure out how to authenticate this site.

Looking at the certificate I could see that it was provided by ‘GlobalSign’ so I had a look on their website for the root certificates I’d need.  They provided it in what they call their ‘Domain root validation bundle’.

These seem to be normally in the format of base64 text encapsulated by ‘—–BEGIN CERTIFICATE—–’ and headers ‘—–END CERTIFICATE—–’.  This seems to be the format of the .pem files LWP::UserAgent wants to use.  There can actually be multiple certificates in a single file as there is in the case of the bundle from GlobalSign.

If you save them to bundle.pem this little snippet will just check you can download a url from a site correctly.

require LWP::UserAgent;
my $ua = LWP::UserAgent->new;
$ua->ssl_opts( SSL_ca_file => './bundle.pem' );
my $response = $ua->get('https://somesite/');
print "URL check ", $response->is_success ? 'succeeded' : 'failed', "\n";

If you’re using your own certificate you should be able to use your own *cert.pem file in place of the bundle.pem.  In the case of for example I was able to download the cert by exporting it via Chrome and point to it in the same manner. 

That solved my problem although as I was investigating this some more I must confess this doesn’t look like the whole story in some ways.  A look at the GlobalSign site suggests they are supported by Mozilla (and Firefox) which confuses things a little.  It appears there are different types of certificate they issue and the ones I’m having to deal with aren’t included in that deal?

One additional note, if your LWP::UserAgent is deeply embedded in something else and you can’t get to it to set the config there are environment variables you can use instead.  Just check the documentation for LWP::UserAgent.


2 thoughts on “SSL host checking and LWP::UserAgent

  1. For the Metabase submissions through the CPAN client, I threw together a hypothetical distribution that bundles the certificate with modules to subclass the actual modules and verify the bundled SSL certificate with the actual one. This, though, it probably not a real solution, as should probably be signed by a CA (if even a CA that was created by CPAN Testers and that CA cert included with a distribution).

    I’ve posted my distribution simply as a gist at

  2. Pingback: thoughts of a doug ~

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s